“The Cyber Conflict Studies Association’s two-year study has lead to the sobering conclusion that the current strategic cyber environment is fundamentally unstable,” said the report, previewed for the press today at the Atlantic Council in Washington, DC. (Click here to download). Cyberspace is “marked by an inability to establish credible deterrence.” It is so much easier to attack than to defend, and so difficult to figure out who attacked you, that attackers cannot be reliably deterred either by strengthening your defenses or by threatening retaliation.

There were some bright spots in the report. It downplays the threat of what’s often called a “cyber Pearl Harbor,” noting that predictions of a massively disruptive attack have been made for a decade without coming true. Even the alarming attacks on Estonia in 2007 and on Georgia in 2008 – generally assumed to have been launched by Russia – amounted to short-term denial and disruption of services, not lasting damage to the network, let alone physical destruction.

“While Stuxnet is considered the new pinnacle of cyber threats” because it was able to do – limited – physical damage to real-world machinery, the report argues, “cyber espionage, not cyber attack or cyber war, is currently the most pressing risk for the United States in cyberspace.” The problem isn’t some prospective “cyber 9/11″ in the future, the report argues: It’s the persistent, determined, and sophisticated theft of data from the government and private businesses that’s happening right now.

Certainly the government is taking the espionage threat seriously: “It’s the greatest transfer of wealth in history,” said Gen. Keith Alexander, who heads both the US Cyber Command and the National Security Agency, during an event yesterday at the American Enterprise Institute. Other experts at the event estimated the loss of American intellectual property, chiefly to China, at about a trillion dollars. However Gen. Alexander expected threats to escalate beyond mere theft of data, as damaging as that is.

“What I think we really need to be concerned about is when these transition from disruptive to destructive attacks,” he said. Disruption simply takes a service, network, or computer offline for a time, as in Estonia and Georgia: “A destructive attack would simply make your computer not work anymore,” for example by fatally compromising the built-in firmware it needs to run, said Alexander. “Those are coming up and we have to be ready for that.”

Gen. Alexander’s approach to the problem depends on Congress passing new cyber-security legislation setting standards for data-sharing and other collaboration between the private sector and the federal government. There the CCSA report holds out some hope, because it argues that after an initial “Wild West” period of online anarchy, governments are increasingly able to assert their control over cyberspace – although it adds that authoritarian regimes like China are doing a better job than the democracies.

In the long run, the report concludes, the United States “cannot expect to achieve cyber stability alone. The U.S. Government has limited influence on the fundamental causes of cyber instability and they look to get worse for an extended period. We cannot construct a safe haven, nor does a cyber high ground exist to seize and hold.” The only option is cooperation – with foreign nations, with business, and with other non-state actors.